The Federal Trade Commission’s latest delay in enforcing the Identity Theft Red Flags Rule is slated to expire on December 31, 2010. This fifth delay, which the FTC announced on May 28, 2010, was requested by members of Congress, who had been working to respond to the outcry over the FTC’s broad interpretation of the Rule. In the latest legislative initiative, on November 17, 2010, representatives Adler (D-NJ), Broun (R-GA) and Simpson (R-IN) advanced a bill (HR 6420) that seeks to limit the scope of the FTC’s Red Flags Rule by amending the Fair Credit Reporting Act’s (FRCA’s) definition of "creditor."

The FTC’s Red Flags Rule implements Section 114 of the FCRA. The Rule requires certain creditors and financial institutions subject to the FTC’s jurisdiction to develop and implement a written identity theft prevention program designed to detect, prevent and mitigate fraud attempted or committed through identity theft.

The cause of the multiple enforcement delays is the Rule’s definition of "creditor" and the FTC’s broad interpretation of the term. Specifically, the FTC has taken the position that, in addition to entities that lend money or participate in credit decisions, a "creditor" subject to the Rule includes any entity that sells goods or services and allows customers to pay for the goods or services later. The FTC’s broad interpretation of the term "creditor" has thus turned any business that employs invoice billing into a creditor subject to the Rule.

The proposed bill seeks to largely limit the applicability of the Red Flags Rule to entities commonly understood to be creditors. Pursuant to the bill, "creditors" would be defined as entities that:

obtain or use consumer reports, directly or indirectly, in connection with a credit transaction;

advance funds to or on behalf of a person (based on the person’s obligation to repay the funds or repayable from property pledged by or on behalf of the person).

More importantly, the proposed bill specifically excludes from the definition of "creditor" entities that advance funds "to or on behalf of a person for expenses incidental to a service provided by the creditor to that person." This exclusion suggests that entities that both provide a product or service and allow customers to pay for the product or service at a later time would not be subject to the Red Flags Rule, provided such entities do not engage in the activities enumerated in bullets (1) or (2) above.

The proposed legislation leaves the door open for the FTC to expand the definition of "creditor" through rulemaking, by making a determination that a particular type of creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft. While this provision leaves open the possibility that the FTC would bring various types of creditors within the scope of the Red Flags Rule, it would set at least a procedural threshold for expanding the scope of the Rule and would appear to require the determination to be specific to the type of creditor.

Although the attention in the debate about the Red Flags Rule has been on the definition of "creditor," the FTC’s Rule also applies to financial institutions that are not regulated by the Federal Reserve, OCC, FDIC or NCUA. Financial institutions subject to the FTC’s Red Flags Rule include entities such as state-chartered credit unions, mutual funds with check writing or debit privileges, insurance companies, brokers, dealers, investment advisers and investment companies. These and other financial institutions subject to the FTC’s jurisdiction must have an identity prevention program in place by December 31, 2010, to the extent they are required to do so by the Rule.

Subscribe to this blog by email

If you've been reading Techdirt for a while, you probably know that we're not big fans of this myth: "If you're not paying for the product, you are the product." Regardless of whether or not you pay for something, some companies will still treat their customers horribly. Likewise, there are also some corporations that try […]

We recently sneered at the publicity rights law suit brought against video game maker Activision by dictatorship-maker Manuel Noriega over his portrayal in the Call of Duty game series. The idea of a foreign historical/public figure filing suit against an American company for publicity rights, which tend to be quite localized to individual states, seemed […]

We've been covering the saga of Roca Labs for a few days now. This is the company that claims to make an "alternative" to gastric bypass surgery in the form of some "industrial food thickening agents" that (the company claims) will fill up your stomach and make you not want to eat. These claims are […]

Traditional newspapers: they're the best. In stark contrast with so-called "new media" on the internet, they're the professionals. They write the important stories, give us unbiased reports on all the things, and, most importantly, they have a monopoly on fact-checking. Except, of course, when they don't. Take the case of one young Australian, Abu Bakar […]

A Google Map search is seemingly the only piece of evidence tying former Cisco engineer Brad Cooper to the the murder of his wife, Nancy. According to his testimony, Cooper was at home with the couple's two daughters at the time his wife was strangled in a nearby park. Nancy Cooper disappeared on July 12, […]